MODEL CHECKING IS REFINEMENT*

— RELATING BÜCHI TESTING AND LINEAR-TIME TEMPORAL LOGIC —

RANCE CLEAVELAND† AND GERALD LÜTTGEN‡


Abstract. This paper develops a semantic foundation for reasoning about reactive systems specifications featuring combinations of labeled transition systems and formulas in linear-time temporal logic (LTL). Using Büchi automata as a semantic basis, the paper introduces two refinement preorders based on DeNicola and Hennessy's notion of may- and must-testing. Alternative characterizations for these relations are provided and used to show that the new preorders are conservative extensions of the traditional DeNicola and Hennessy preorders. The paper then establishes a tight connection between LTL formula satisfaction and the Büchi must-preorder. More precisely, it is shown that a labeled transition system satisfies an LTL formula if and only if it refines an appropriately defined Büchi automaton that can be constructed from the formula. Consequently, the Büchi must-preorder allows for a uniform treatment of traditional notions of process refinement and model checking. The implications of the novel theory are illustrated by means of a simple example system, in which some components are specified as transition systems and others as LTL formulas.

Key words. Büchi automata, temporal logic, process algebra, refinement preorder, specification, testing

Subject classification. Computer Science

1. Introduction. Two schools of thought have emerged in the field of formal methods for designing and reasoning about reactive systems. The first advocates the use of assertional approaches, in which different formalisms are employed for describing system specifications and implementations. Typically, implementations are given in an operational, programming-oriented notation, while specifications are presented in a declarative, logical style. The semantics of assertions is then applied to determine whether an implementation satisfies its specification. An example for this paradigm is model checking [5, 31, 36], where temporal logics are used to specify properties that systems modeled by Kripke structures or labeled transition systems should satisfy. The second school favors refinement approaches in which a single formalism that is equipped with a refinement relation is employed to represent a system's specification and implementation. An implementation is deemed correct if it refines its specification. Process algebras [19, 27] fall into this classification, with traditional refinement relations being either behavioral equivalences, e.g., bisimulation [27], or preorders, e.g., based on failures or testing [3, 11].

Both paradigms have advantages and disadvantages. Assertional approaches typically allow the formulation of loose specifications which afford implementors great latitude in their design decisions; but they have difficulty in supporting compositional reasoning, owing to the fact that the implementation and specification languages are different. On the other hand, compositionality is a hallmark of refinement approaches, since one may typically refine one part of a system design independently of others. However, refinement-based specifications are often seen as too detailed and, hence, too constraining for implementors. A formalism that marries the benefits of the two styles would have obvious benefits, as the flexibility of assertional specifications could be combined with the virtues of refinement-oriented compositionality. Such a framework would for example permit a project manager to give loose, assertional specifications of different system components to different design teams. If the composition of the abstract specifications has been determined to satisfy a desired global system specification, the individual, detailed operational component designs returned by the groups would be guaranteed to "compose" correctly.

The goal of this paper is to develop a unified semantic theory for heterogeneous system specifications featuring mixtures of labeled transition systems and formulas in linear-time temporal logic (LTL). Using Büchi automata [34] and the testing framework of DeNicola and Hennessy [11] as starting points, we approach this problem by developing Büchi may- and must-preorders that relate Büchi processes on the basis of their responses to Büchi tests. For these refinement preorders, we provide alternative characterizations and employ them for proving conservative-extension results regarding DeNicola and Hennessy's testing theory. We then establish the key result of this paper, namely that LTL model checking may be reduced to refinement checking. More precisely, a Büchi process $B_\phi$ can be constructed from an LTL formula $\phi$ in such a way that a labeled transition system satisfies $\phi$ if and only if it is larger than $B_\phi$ for the Büchi must-preorder. Finally, we show that our must-preorder is compositional for a parallel composition operator that is inspired by the one of CCS [27], and illustrate our technical results by a small example featuring the heterogeneous design of a generic communication protocol.

The remainder of this paper is structured as follows. The next section motivates our work by means of an example. Section 3 develops a theory of Büchi testing, including characterizations of the preorders under consideration and their relation to well-established testing preorders. The connection between Büchi must-testing and LTL model checking is investigated in Section 4. The specification framework is then applied to the example in Section 5, while Section 6 discusses related work. Finally, Section 7 contains our conclusions and directions for future work. The proofs of our main theorems are given in the appendix.


2. Motivating Example. As motivation for the work in this paper, consider the design of a very simple communication protocol given in Figure 2.1.

[Fig. 2.1 (figure not reproduced): architecture of the protocol, with external channels send and recv]


The architecture of the protocol has already been fixed by the system designers and consists of a sender Sender, a medium Medium, and a receiver Receiver. The components communicate with the protocol's environment and among themselves via channels. In case of component Sender, these are the channels send, put, and gack (get acknowledgment). We use the notation ch? and ch! to indicate the reception and sending of a message from and to channel ch, respectively, and refer to these activities as actions. Each component in turn has its own specification. Receiver and Medium are given as labeled transition systems, reflecting the fact that their designs are relatively advanced. The Sender, in contrast, is specified assertionally by an LTL formula, i.e., on an abstract specification level. The formula states that whenever a send? action occurs during an execution sequence of the sender, the remainder of the execution must begin with a sequence of put! actions followed by a gack? action.¹ Finally, the overall specification of the protocol's required behavior may be given by the following LTL formula.

$\mathit{Spec} =_{df} G(\mathit{send?} \rightarrow (F\,\mathit{recv!}))$

This formula encodes a certain reliability guarantee of the protocol regarding the eventual delivery of messages. More precisely, it dictates that in any sequence of actions which the system performs, whenever a send? action occurs, a recv! action eventually follows. An obvious question that a designer would be interested in is whether the specification of the sender is "strong enough" to ensure that the protocol satisfies Spec. The theory developed in this paper provides the semantic framework for answering this question.

A positive answer should be preserved when Sender is refined by a labeled transition system satisfying its LTL formula given in Figure 2.1, such as the one depicted in Figure 2.2. For this to be the case, the underlying refinement relation must be compatible with LTL satisfaction. Moreover, it must be compositional, since Sender cannot be considered in isolation, but is just one component of a larger system. Again, the theory to be developed will support such a notion of refinement.

3. A Theory of Büchi Testing. In this section we extend the testing theory of DeNicola and Hennessy [11], which was developed for labeled transition systems in a process-algebraic setting [11], to Büchi automata. Traditional testing relates labeled transition systems with respect to their responses to tests via two preorders, the may- and must-preorders, which distinguish whether systems may or must pass the considered tests. The must-preorder has proved especially interesting because of various full-abstractness results that have been established for it [26] and also because it is compositional with respect to a number of different process constructs, including the parallel operators in Milner's CCS [27] and Hoare's CSP [19].

In this paper, we use Büchi automata as a basis for reasoning about mixed operational and assertional specifications. These automata extend labeled transition systems by means of an acceptance condition for infinite traces. However, the traditional Büchi semantics, which identifies automata having the same infinite languages, is in general not compositional with respect to parallel composition operators, since it is insensitive to the potential for deadlock. Our testing semantics is intended to overcome this problem. In the sequel, we refer to Büchi automata as Büchi processes to emphasize that we are equipping Büchi automata with a different semantics than the traditional one. In what follows, we first define Büchi processes and several notions of traces and languages. We then introduce our notion of Büchi testing, develop Büchi may- and must-preorders, establish alternative characterizations for the preorders, and show them to be conservative extensions of DeNicola and Hennessy's may- and must-preorders.

¹ In this paper, we assume that LTL formulas are interpreted with respect to sequences of actions rather than sequences of states, as is traditionally the case [30]. In formulas, we use actions $a$ as atomic propositions, where a sequence of actions satisfies proposition $a$ if its first element is action $a$. The adaptation of the LTL semantics is straightforward (cf. Section 4).


[Fig. 2.2. Refinement of Sender (figure not reproduced): a labeled transition system over the actions send, put, and gack]
3.1. Basic Definitions. Our semantic framework is defined relative to some alphabet $\mathcal{A}$, i.e., a countable set of actions which does not include the distinguished unobservable, internal action $\tau$. In the sequel, we let $a, b, \ldots$ range over $\mathcal{A}$ and $\alpha, \beta, \ldots$ over $\mathcal{A} \cup \{\tau\}$. Büchi processes are distinguished from labeled transition systems in their treatment of infinite traces. Whereas in labeled transition systems all infinite traces are typically deemed possible, in Büchi processes only those infinite traces that go through designated Büchi states infinitely often are considered actual executions.

Definition 3.1 (Büchi process & labeled transition system). A Büchi process is a tuple $\langle P, \longrightarrow, \surd, p\rangle$ where $P$ is a countable set of states, $\longrightarrow \subseteq P \times (\mathcal{A} \cup \{\tau\}) \times P$ is the transition relation, $\surd \subseteq P$ is the Büchi set, and $p \in P$ is the start state. If $\surd = P$ we refer to the Büchi process as a labeled transition system, in accordance with standard terminology.

For convenience, we often write (i) $p' \stackrel{\alpha}{\longrightarrow} p''$ instead of $(p', \alpha, p'') \in \longrightarrow$, (ii) $p' \stackrel{\alpha}{\longrightarrow}$ for $\exists p'' \in P.\ p' \stackrel{\alpha}{\longrightarrow} p''$, (iii) $p' \longrightarrow$ for $\exists \alpha \in \mathcal{A} \cup \{\tau\},\ p'' \in P.\ p' \stackrel{\alpha}{\longrightarrow} p''$, and (iv) $p'\surd$ for $p' \in \surd$. If no confusion arises, we abbreviate the Büchi process $\langle P, \longrightarrow, \surd, p\rangle$ by its start state $p$ and refer to its transition relation and Büchi set as $\longrightarrow_p$ and $\surd_p$, respectively. Moreover, we denote the set of all Büchi processes by $\mathcal{P}$. Note that we do not require Büchi processes to be finite-state.

Definition 3.2 (Path & trace). Let $\langle P, \longrightarrow, \surd, p\rangle$ be a Büchi process. A path $\pi$ starting from state $p' \in P$ is a potentially infinite sequence $((p_{i-1}, \alpha_i, p_i))_{0 < i \le k}$, where $k \in \mathbb{N} \cup \{\infty\}$, such that $k = 0$, or $p_0 = p'$ and $p_{i-1} \stackrel{\alpha_i}{\longrightarrow} p_i$ for all $0 < i \le k$. We use $|\pi|$ to refer to $k$, the length of $\pi$. If $|\pi| = \infty$, we say that $\pi$ is infinite; otherwise, $\pi$ is finite. If $|\pi| \in \mathbb{N}$ and $p_{|\pi|} \not\longrightarrow$, i.e., $p_{|\pi|}$ is a deadlock state, path $\pi$ is called maximal. Path $\pi$ is referred to as a Büchi path if $|\pi| = \infty$ and $|\{i \in \mathbb{N} \mid p_i\surd\}| = \infty$. The (visible) trace $\mathit{trace}(\pi)$ of $\pi$ is defined as the sequence $(\alpha_i)_{i \in I_\pi} \in \mathcal{A}^* \cup \mathcal{A}^\infty$, where $I_\pi =_{df} \{0 < i \le |\pi| \mid \alpha_i \neq \tau\}$.

We denote the sets of all finite paths, all maximal paths, and all Büchi paths starting from state $p' \in P$ by $\Pi_{\mathit{fin}}(p')$, $\Pi_{\max}(p')$, and $\Pi_B(p')$, respectively. The empty path $\pi$ with $|\pi| = 0$ is symbolized by $\langle\rangle$ and its empty trace by $\epsilon$. We sometimes write $a$ for trace $\langle a\rangle$ and use the notation $p' \stackrel{w}{\Longrightarrow}_p p''$ to indicate that state $p'$ of Büchi process $p$ may evolve to state $p''$ when observing trace $w$ for some path $\pi \in \Pi_{\mathit{fin}}(p')$. Formally, $p' \stackrel{w}{\Longrightarrow}_p p''$ if $\exists \pi = ((p_{i-1}, \alpha_i, p_i))_{0 < i \le k} \in \Pi_{\mathit{fin}}(p').\ p_0 = p',\ p_k = p''$, and $\mathit{trace}(\pi) = w$. We may also introduce different languages for Büchi process $p$.

$\mathcal{L}_{\mathit{fin}}(p) =_{df} \{\mathit{trace}(\pi) \mid \pi \in \Pi_{\mathit{fin}}(p)\} \subseteq \mathcal{A}^*$ — finite-trace language of $p$

$\mathcal{L}_{\max}(p) =_{df} \{\mathit{trace}(\pi) \mid \pi \in \Pi_{\max}(p)\} \subseteq \mathcal{A}^*$ — maximal-trace language of $p$

$\mathcal{L}_B(p) =_{df} \{\mathit{trace}(\pi) \mid \pi \in \Pi_B(p)\} \subseteq \mathcal{A}^* \cup \mathcal{A}^\infty$ — Büchi-trace language of $p$

We also let $I_p(p') =_{df} \{a \in \mathcal{A} \mid \exists p''.\ p' \stackrel{a}{\Longrightarrow}_p p''\}$ be the set of initial actions of $p$ in state $p' \in P$.

A key notion for any theory of testing is a system's ability to diverge, i.e., to engage in an infinite internal computation [17]. We say that state $p'$ of Büchi process $p$ is Büchi divergent or simply divergent, in signs $p' \Uparrow_p$, if $\exists \pi \in \Pi_B(p').\ \mathit{trace}(\pi) = \epsilon$. State $p'$ is called $w$-divergent for some $w = (a_i)_{0 < i \le k} \in \mathcal{A}^* \cup \mathcal{A}^\infty$ if one can reach a divergent state starting from $p'$ when executing a finite prefix of $w$, i.e., if $\exists l \in \mathbb{N},\ p'' \in P.\ l \le k,\ p' \stackrel{w_l}{\Longrightarrow} p''$, and $p'' \Uparrow_p$, where $w_l =_{df} (a_i)_{0 < i \le l}$. For convenience, we write $\mathcal{L}_{\mathit{div}}(p')$ for the divergent-trace language of $p'$, i.e., $\mathcal{L}_{\mathit{div}}(p') =_{df} \{w \in \mathcal{A}^* \cup \mathcal{A}^\infty \mid p' \Uparrow_p w\}$. State $p'$ is convergent or $w$-convergent, in signs $p' \Downarrow_p$ and $p' \Downarrow_p w$, if not $p' \Uparrow_p$ and not $p' \Uparrow_p w$, respectively. Note that a finite trace $w \in \mathcal{L}_B(p)$ indicates that $p$ is divergent exactly after executing $w$. In the following, we often omit the indices of the divergence and convergence predicates, as well as of the transition relations, whenever these are obvious from the context. Finally, we write $w \cdot w'$ for the concatenation of finite trace $w \in \mathcal{A}^*$ with the finite or infinite trace $w' \in \mathcal{A}^* \cup \mathcal{A}^\infty$.
3.2. Testing Theory. The traditional testing framework of DeNicola and Hennessy defines behavioral preorders that relate labeled transition systems with respect to their responses to tests [11]. Tests are employed to witness the external interactions a system may have with its environment. In our setting, a test is a Büchi process where certain states are considered to be success states. In order to determine whether a system passes a test, one has to examine the finite and infinite computations that result when the test runs in lock-step with the system under consideration.

Definition 3.3 (Test, computation, & success).

1. A Büchi test $\langle T, \longrightarrow_t, \surd_t, t, \mathit{Suc}\rangle$ is a Büchi process $\langle T, \longrightarrow_t, \surd_t, t\rangle$ together with a set $\mathit{Suc} \subseteq T$ of success states. If $\surd_t = \emptyset$, we call the test classical. The set of all Büchi tests is denoted by $\mathcal{T}$.

2. A potential computation $c$ with respect to a Büchi process $p$ and a Büchi test $t$ is a potentially infinite sequence $((p_{i-1}, t_{i-1}) \stackrel{\alpha_i, r_i}{\longmapsto} (p_i, t_i))_{0 < i \le k}$, where $k \in \mathbb{N} \cup \{\infty\}$, such that (1) $p_i \in P$ and $t_i \in T$, for all $0 \le i \le k$, and (2) $\alpha_i \in \mathcal{A} \cup \{\tau\}$ and $r_i \in \{\blacktriangleleft, \blacktriangleright, \blacklozenge\}$, for all $0 < i \le k$. The relation $\longmapsto$ is defined by the following rules.

• $(p_{i-1}, t_{i-1}) \stackrel{\tau, \blacktriangleleft}{\longmapsto} (p_i, t_i)$ if $\alpha_i = \tau$, $t_{i-1} = t_i$, $p_{i-1} \stackrel{\tau}{\longrightarrow}_p p_i$, and $t_{i-1} \notin \mathit{Suc}$.

• $(p_{i-1}, t_{i-1}) \stackrel{\tau, \blacktriangleright}{\longmapsto} (p_i, t_i)$ if $\alpha_i = \tau$, $p_{i-1} = p_i$, $t_{i-1} \stackrel{\tau}{\longrightarrow}_t t_i$, and $t_{i-1} \notin \mathit{Suc}$.

• $(p_{i-1}, t_{i-1}) \stackrel{\alpha_i, \blacklozenge}{\longmapsto} (p_i, t_i)$ if $\alpha_i \in \mathcal{A}$, $p_{i-1} \stackrel{\alpha_i}{\longrightarrow}_p p_i$, $t_{i-1} \stackrel{\alpha_i}{\longrightarrow}_t t_i$, and $t_{i-1} \notin \mathit{Suc}$.

$c$ is finite, in signs $|c| < \infty$, if $k \in \mathbb{N}$. Otherwise, it is infinite, i.e., $|c| = \infty$. The projection $\mathit{proj}_p(c)$ of $c$ on $p$ is defined as $((p_{i-1}, \alpha_i, p_i))_{i \in I^p_c} \in \Pi(p)$, where $I^p_c =_{df} \{0 < i \le k \mid r_i \in \{\blacktriangleleft, \blacklozenge\}\}$, and the projection $\mathit{proj}_t(c)$ of $c$ on $t$ as $((t_{i-1}, \alpha_i, t_i))_{i \in I^t_c} \in \Pi(t)$, where $I^t_c =_{df} \{0 < i \le k \mid r_i \in \{\blacktriangleright, \blacklozenge\}\}$. A potential computation $c$ is called computation, if it satisfies the following properties: (1) $c$ is maximal, i.e., $k \in \mathbb{N}$ implies $p_k \stackrel{\tau}{\not\longrightarrow}_p$, $t_k \stackrel{\tau}{\not\longrightarrow}_t$, and $I_p(p_k) \cap I_t(t_k) = \emptyset$; and (2) $k = \infty$ implies $\mathit{proj}_p(c) \in \Pi_B(p)$. The set of all computations of $p$ and $t$ is denoted by $\mathcal{C}(p, t)$.

3. Computation $c$ is called successful if $t_{|c|} \in \mathit{Suc}$, in case $|c| < \infty$, or if $\mathit{proj}_t(c) \in \Pi_B(t)$, in case $|c| = \infty$. We say that $p$ may pass $t$, if there exists a successful computation $c \in \mathcal{C}(p, t)$. Analogously, $p$ must pass $t$, if every computation $c \in \mathcal{C}(p, t)$ is successful.

Intuitively, an infinite computation of process $p$ and test $t$ differs from an infinite potential computation in that in the former the process is required to enter a Büchi state infinitely often. An infinite computation is then successful if the test also passes through a Büchi state infinitely often. Hence, in contrast with the original theory of DeNicola and Hennessy, some infinite computations can be successful in our setting. Since Büchi processes and Büchi tests potentially exhibit nondeterministic behavior, one may distinguish between the possibility and inevitability of success. This is captured in the following definitions of the Büchi may- and must-preorders.

Definition 3.4 (Büchi Testing Preorders). Let $p$ and $q$ be Büchi processes. Then we define

• $p \sqsubseteq^{\mathrm{may}}_{CL} q$ if $\forall t \in \mathcal{T}.\ p\ \mathrm{may}_{CL}\ t$ implies $q\ \mathrm{may}_{CL}\ t$.

• $p \sqsubseteq^{\mathrm{must}}_{CL} q$ if $\forall t \in \mathcal{T}.\ p\ \mathrm{must}_{CL}\ t$ implies $q\ \mathrm{must}_{CL}\ t$.

It is straightforward to check that the relations $\sqsubseteq^{\mathrm{may}}_{CL}$ and $\sqsubseteq^{\mathrm{must}}_{CL}$ on $\mathcal{P}$ are preorders, i.e., that they are reflexive and transitive relations. The classical may- and must-preorders of DeNicola and Hennessy are defined analogously, but on labeled transition systems and when restricting $\mathcal{T}$ to classical tests [11].

3.3. Alternative Characterizations. In the following, we present alternative characterizations of the Büchi may- and must-preorders. The characterizations are similar in style to the ones developed by DeNicola and Hennessy and provide the basis for comparing their testing theory to our Büchi testing.
Theorem 3.5. Let $p$ and $q$ be Büchi processes. Then

1. $p \sqsubseteq^{\mathrm{may}}_{CL} q$ if and only if $\mathcal{L}_{\mathit{fin}}(p) \subseteq \mathcal{L}_{\mathit{fin}}(q)$ and $\mathcal{L}_B(p) \subseteq \mathcal{L}_B(q)$.

2. $p \sqsubseteq^{\mathrm{must}}_{CL} q$ if and only if for all $w \in \mathcal{A}^* \cup \mathcal{A}^\infty$ such that $p \Downarrow w$, the following hold:

(a) $q \Downarrow w$

(b) $|w| < \infty$: $\forall q'.\ q \stackrel{w}{\Longrightarrow} q'$ implies $\exists p'.\ p \stackrel{w}{\Longrightarrow} p'$ and $I_p(p') \subseteq I_q(q')$.

(c) $|w| = \infty$: $w \in \mathcal{L}_B(q)$ implies $w \in \mathcal{L}_B(p)$.

[Fig. 3.1. Büchi tests used for characterizing the Büchi may- and must-preorders (figure not reproduced)]

With respect to finite traces, the characterizations are virtually the same as the ones of DeNicola and Hennessy's preorders [11]. However, we needed to refine the classical characterizations in order to capture the sensitivity of Büchi may- and must-testing to infinite traces. The proof of the above characterization theorem relies on the properties of the following specific Büchi tests.

1. For $w = (a_i)_{0 < i \le k} \in \mathcal{A}^*$, let $t^{\mathrm{may},*}_w =_{df} \langle T, \longrightarrow, \emptyset, 0, \{k\}\rangle$, where $T =_{df} \{0, 1, \ldots, k\}$ and $\longrightarrow =_{df} \{(i-1, a_i, i) \mid 0 < i \le k\}$.

2. For $w = (a_i)_{i \in \mathbb{N}} \in \mathcal{A}^\infty$, let $t^{\mathrm{may},\infty}_w =_{df} \langle T, \longrightarrow, T, 0, \emptyset\rangle$, where $T =_{df} \mathbb{N}_0$ and $\longrightarrow =_{df} \{(i-1, a_i, i) \mid i \in \mathbb{N}\}$.

3. For $w = (a_i)_{0 < i \le k} \in \mathcal{A}^*$, let $t^{\mathrm{may},\mathrm{div}}_w =_{df} \langle T, \longrightarrow, \{k\}, 0, \emptyset\rangle$, where $T =_{df} \{0, 1, \ldots, k\}$ and $\longrightarrow =_{df} \{(i-1, a_i, i) \mid 0 < i \le k\} \cup \{(k, \tau, k)\}$.

4. For $w = (a_i)_{0 < i \le k} \in \mathcal{A}^*$, define the test $\langle T, \longrightarrow, \emptyset, 0, \{s\}\rangle$, where $T =_{df} \{0, 1, \ldots, k\} \uplus \{s\}$ and $\longrightarrow =_{df} \{(i-1, a_i, i) \mid 0 < i \le k\} \cup \{(i, \tau, s) \mid 0 \le i \le k\}$.

5. For $w = (a_i)_{i \in \mathbb{N}} \in \mathcal{A}^\infty$, define the test $\langle T, \longrightarrow, T \setminus \{s\}, 0, \{s\}\rangle$, where $T =_{df} \mathbb{N}_0 \uplus \{s\}$ and $\longrightarrow =_{df} \{(i-1, a_i, i) \mid i \in \mathbb{N}\} \cup \{(i, \tau, s) \mid i \in \mathbb{N}_0\}$.

6. For $w = (a_i)_{0 < i \le k} \in \mathcal{A}^*$, let $t^{\mathrm{must},*}_w =_{df} \langle T, \longrightarrow, \emptyset, 0, \{s\}\rangle$, where $T =_{df} \{0, 1, \ldots, k\} \uplus \{s\}$ and $\longrightarrow =_{df} \{(i-1, a_i, i) \mid 0 < i \le k\} \cup \{(i, \tau, s) \mid 0 \le i < k\}$.

7. For $w = (a_i)_{0 < i \le k} \in \mathcal{A}^*$, let $t^{\mathrm{must},\max}_w =_{df} \langle T, \longrightarrow, \emptyset, 0, \{s_1, s_2\}\rangle$, where $T =_{df} \{0, 1, \ldots, k\} \uplus \{s_1, s_2\}$ and $\longrightarrow =_{df} \{(i-1, a_i, i) \mid 0 < i \le k\} \cup \{(i, \tau, s_1) \mid 0 \le i < k\} \cup \{(k, a, s_2) \mid a \in \mathcal{A}\}$.

8. For $w = (a_i)_{i \in \mathbb{N}} \in \mathcal{A}^\infty$, we define $t^{\mathrm{must},\infty}_w =_{df} \langle T, \longrightarrow, \emptyset, 0, \{s\}\rangle$, where $T =_{df} \mathbb{N}_0 \uplus \{s\}$ and $\longrightarrow =_{df} \{(i-1, a_i, i) \mid i \in \mathbb{N}\} \cup \{(i, \tau, s) \mid i \in \mathbb{N}_0\}$.

9. For $w = (a_i)_{0 < i \le k} \in \mathcal{A}^*$ and $A \subseteq \mathcal{A}$, let $t^{\mathrm{must},A}_w =_{df} \langle T, \longrightarrow, \emptyset, 0, \{s_1, s_2\}\rangle$, where $T =_{df} \{0, 1, \ldots, k\} \uplus \{s_1, s_2\}$ and $\longrightarrow =_{df} \{(i-1, a_i, i) \mid 0 < i \le k\} \cup \{(i, \tau, s_1) \mid 0 \le i < k\} \cup \{(k, a, s_2) \mid a \in A\}$.

In order to increase comprehension, we also graphically depict the Büchi tests in Figure 3.1. Here, Büchi states are marked by the symbol $\surd$ and success states are distinguished from regular states by thick borders. Intuitively, while Büchi tests $t^{\mathrm{may},*}_w$ and $t^{\mathrm{may},\infty}_w$ test for the presence of finite and Büchi trace $w$, respectively, Büchi test $t^{\mathrm{may},\mathrm{div}}_w$ and the tests of items 4 and 5 are capable of detecting divergent behavior when executing trace $w$. Büchi tests $t^{\mathrm{must},*}_w$, $t^{\mathrm{must},\max}_w$, and $t^{\mathrm{must},\infty}_w$ are concerned with the absence of finite trace, maximal trace, and Büchi trace $w$, respectively. Finally, Büchi test $t^{\mathrm{must},A}_w$ is capable of comparing the initial action sets of states reached when executing trace $w$ with respect to set $A \subseteq \mathcal{A}$.

Our specific Büchi tests satisfy the following desired properties. Their proofs are simple analyses of the potential computations arising when running the Büchi tests in lock-step with arbitrary Büchi processes.

Lemma 3.6. Let $p$ be a Büchi process.

1. Let $w \in \mathcal{A}^*$. Then, $w \in \mathcal{L}_{\mathit{fin}}(p)$ if and only if $p\ \mathrm{may}_{CL}\ t^{\mathrm{may},*}_w$.

2. Let $w \in \mathcal{A}^\infty$. Then, $w \in \mathcal{L}_B(p)$ if and only if $p\ \mathrm{may}_{CL}\ t^{\mathrm{may},\infty}_w$.

3. Let $w \in \mathcal{A}^*$. Then, $w \in \mathcal{L}_B(p)$ if and only if $p\ \mathrm{may}_{CL}\ t^{\mathrm{may},\mathrm{div}}_w$.

4. Let $w \in \mathcal{A}^* \cup \mathcal{A}^\infty$. Then, $p \Downarrow w$ if and only if $p\ \mathrm{must}_{CL}$ the test of item 4 (for finite $w$) or item 5 (for infinite $w$) above.

5. Let $w \in \mathcal{A}^*$ such that $p \Downarrow w$. Then, $w \notin \mathcal{L}_{\mathit{fin}}(p)$ if and only if $p\ \mathrm{must}_{CL}\ t^{\mathrm{must},*}_w$.

6. Let $w \in \mathcal{A}^*$ such that $p \Downarrow w$. Then, $w \notin \mathcal{L}_{\max}(p)$ if and only if $p\ \mathrm{must}_{CL}\ t^{\mathrm{must},\max}_w$.

7. Let $w \in \mathcal{A}^\infty$ such that $p \Downarrow w$. Then, $w \notin \mathcal{L}_B(p)$ if and only if $p\ \mathrm{must}_{CL}\ t^{\mathrm{must},\infty}_w$.

The proof of Theorem 3.5 relies extensively on these intuitive properties of Büchi tests and can be found in Appendix A.1. For finite traces, it proceeds analogously to the corresponding proofs in [11]. For infinite traces, it employs the infinite-state tests $t^{\mathrm{may},\infty}_w$, the test of item 5, and $t^{\mathrm{must},\infty}_w$ for the "$\Rightarrow$" proof directions, while the reverse directions can be proved directly along the according definition of successful computation. Note that the usage of infinite-state tests — even when relating finite-state Büchi processes — is justified by our view that Büchi tests represent the arbitrary, potentially irregular behavior of the unknown system environment.

3.4. Conservative Extension Results. In this section we investigate the relation of our Büchi may- and must-preorders to the corresponding classical preorders, $\sqsubseteq^{\mathrm{may}}_{DH}$ and $\sqsubseteq^{\mathrm{must}}_{DH}$ respectively, as defined by DeNicola and Hennessy [11]. It should be noted that their framework is restricted to image-finite labeled transition systems and classical, image-finite tests; a labeled transition system or Büchi process is called image-finite if every state has only a finite number of outgoing transitions for any action.

Theorem 3.7. Let $p$ and $q$ be image-finite labeled transition systems.

1. If $p$ and $q$ are convergent, then $p \sqsubseteq^{\mathrm{may}}_{CL} q$ if and only if $p \sqsubseteq^{\mathrm{may}}_{DH} q$.

2. $p \sqsubseteq^{\mathrm{must}}_{CL} q$ if and only if $p \sqsubseteq^{\mathrm{must}}_{DH} q$.

We refer the reader to Appendix A.2 for the proof of this theorem. In a nutshell, the second part follows by inspection of the alternative characterizations of $\sqsubseteq^{\mathrm{must}}_{CL}$ and $\sqsubseteq^{\mathrm{must}}_{DH}$. The validity of the first part is a consequence of a result established by Narayan Kumar et al. in [28]. They introduced a notion of Büchi testing for labeled transition systems only, rather than for the more general class of Büchi processes, and they required labeled transition systems and Büchi tests to be convergent and image-finite. Relative to their restricted framework, it is easy to see that our and their definitions of Büchi tests and passing tests coincide. Narayan Kumar et al. showed that their Büchi may- and must-preorders coincide with the ones of DeNicola and Hennessy, i.e., (convergent) Büchi tests do not add distinguishing power to classical tests, if only labeled transition systems are taken into account.

Note that Theorem 3.7(1) is invalid if one allows divergent labeled transition systems. As a counterexample consider the labeled transition systems $\langle \{p\}, \{(p, \tau, p)\}, \{p\}, p\rangle$ and $\langle \{q\}, \emptyset, \{q\}, q\rangle$, as well as the Büchi test $\langle \{t\}, \{(t, \tau, t)\}, \{t\}, t, \emptyset\rangle$. Then, $p \sqsubseteq^{\mathrm{may}}_{DH} q$ since $\emptyset = \mathcal{L}_{\mathit{fin}}(p) \subseteq \mathcal{L}_{\mathit{fin}}(q) = \{\epsilon\}$, but $p \not\sqsubseteq^{\mathrm{may}}_{CL} q$ since $p\ \mathrm{may}_{CL}\ t$ and $q\ \mathrm{m\!\!\!/ay}_{CL}\ t$. The reason for the latter is that the infinite computation $c \in \mathcal{C}(p, t)$, where $p$ and $t$ alternately engage in a $\tau$-transition, is successful. However, the only computation of $q$ and $t$ is the empty computation. This computation is unsuccessful since the set of success states of $t$ is empty. ■


4. Büchi Must-testing, Trace Inclusion, & Linear-time Temporal Logics. In this section we establish a connection between the Büchi must-preorder $\sqsubseteq^{\mathrm{must}}_{CL}$ and the satisfaction relation $\models$ for linear-time temporal logic (LTL). More specifically, our goal is to show how to construct a Büchi process $B_\phi$ from an LTL formula $\phi$ in such a way that $p \models \phi$ if and only if $B_\phi \sqsubseteq^{\mathrm{must}}_{CL} p$, for any labeled transition system $p$. (Recall that a labeled transition system is a Büchi process in which every state is a Büchi state.) Our result builds on automata-theoretic approaches to LTL model checking developed by Vardi and Wolper [36] and others [6, 15, 20]. These approaches reduce the model-checking problem to one of checking language containment between Büchi automata and rely on the generation of Büchi automata from LTL formulas. To achieve our goal, we first show that the Büchi must-preorder coincides with a form of trace inclusion when the lower process is "purely nondeterministic." Then we illustrate how the classical constructions of Büchi automata from LTL formulas may be adapted to cope with the phenomena of deadlock and divergence that labeled transition systems potentially exhibit. In what follows we assume that the set $\mathcal{A}$ of actions is finite.


4.1. Büchi Must-testing & Reverse Trace Inclusion. We start by characterizing the Büchi must-preorder for a certain class of Büchi processes by means of trace inclusion. To state our result, we need to introduce the notion of pure nondeterminism. We call a Büchi process $p$ purely nondeterministic, if for all $p' \in P$: (i) $p' \stackrel{\tau}{\longrightarrow}_p$ implies $p' \stackrel{a}{\not\longrightarrow}_p$, for all $a \in \mathcal{A}$, and (ii) $|\{(a, p'') \in \mathcal{A} \times P \mid p' \stackrel{a}{\longrightarrow}_p p''\}| \le 1$. Note that every Büchi process $p$ can be transformed to a purely nondeterministic Büchi process $p'$, such that $\mathcal{L}_{\mathit{div}}(p) = \mathcal{L}_{\mathit{div}}(p')$, $\mathcal{L}_{\mathit{fin}}(p) = \mathcal{L}_{\mathit{fin}}(p')$, $\mathcal{L}_{\max}(p) = \mathcal{L}_{\max}(p')$, and $\mathcal{L}_B(p) = \mathcal{L}_B(p')$, by splitting every transition $p' \stackrel{a}{\longrightarrow}_p p''$ into two transitions $p' \stackrel{\tau}{\longrightarrow}_p P_{(p', a, p'')} \stackrel{a}{\longrightarrow}_p p''$, where $P_{(p', a, p'')} \notin P$ is a new, distinguished state.


Theorem 4.1. Let $p$ and $q$ be Büchi processes such that $p$ is purely nondeterministic. Then, $p \sqsubseteq^{\mathrm{must}}_{CL} q$ if and only if

(i) $\mathcal{L}_{\mathit{div}}(q) \subseteq \mathcal{L}_{\mathit{div}}(p)$

(ii) $\mathcal{L}_{\mathit{fin}}(q) \setminus \mathcal{L}_{\mathit{div}}(p) \subseteq \mathcal{L}_{\mathit{fin}}(p)$

(iii) $\mathcal{L}_{\max}(q) \setminus \mathcal{L}_{\mathit{div}}(p) \subseteq \mathcal{L}_{\max}(p)$

(iv) $\mathcal{L}_B(q) \setminus \mathcal{L}_{\mathit{div}}(p) \subseteq \mathcal{L}_B(p)$

(4.1)


The proof of the "⇒"-direction again exploits Lemma 3.6, while the "⇐"-direction follows by considering the contrapositive. Details can be found in Appendix A.3. The necessity of the premise of this theorem is illustrated by the following example. Consider the Büchi processes $p =_{df} (\{p_1, p_2\}, \{(p_1, a, p_1), (p_1, b, p_2)\}, \emptyset, p_1)$ and $q =_{df} (\{q_1, q_2\}, \{(q_1, b, q_2)\}, \emptyset, q_1)$. Then $p$ is not purely nondeterministic, since $p_1$ offers both $a$ and $b$, and Equation 4.1 obviously holds, but $p \not\sqsubseteq^{\mathrm{must}}_{CL} q$ since $p\ \mathrm{must}_{CL}\ t$ and $\neg(q\ \mathrm{must}_{CL}\ t)$ for the Büchi test $t =_{df} (\{t_1, t_2\}, \{(t_1, a, t_2)\}, \emptyset, t_1, \{t_2\})$: every maximal computation of $p$ with $t$ synchronizes on $a$ and reaches the success state $t_2$, whereas $q$ and $t$ cannot synchronize at all.
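As an added illustration (not code from the paper), the following Python implements the pure-nondeterminism check and the transition-splitting transformation of this section for finite-state Büchi processes, and compares the finite-trace languages of a process and its split version up to a length bound. The encoding is this example's own: a process is a tuple (states, transitions, Büchi states, start) with transitions (source, action, target) and the constant TAU for the unobservable action. The processes $p$ and $q$ of the example above are reproduced as sample data. Divergent, maximal and Büchi trace sets are not computed, so only condition (ii) of Theorem 4.1 is checked, and only up to the bound.

```python
# Added example: pure nondeterminism and transition splitting for finite-state
# Buchi processes (Section 4.1). Encoding (an assumption of this example):
# process = (states, transitions, buchi_states, start); transition = (src, action, dst).
TAU = 'tau'  # the unobservable action, not a member of the visible alphabet


def is_purely_nondeterministic(proc):
    """(i) a state with a tau-transition has no visible transition;
    (ii) every state has at most one visible (action, target) pair."""
    states, trans, _, _ = proc
    for s in states:
        visible = {(a, d) for (src, a, d) in trans if src == s and a != TAU}
        has_tau = any(src == s and a == TAU for (src, a, _) in trans)
        if (has_tau and visible) or len(visible) > 1:
            return False
    return True


def split(proc):
    """Split every visible transition p' -a-> p'' into p' -tau-> P(p',a,p'') -a-> p''.
    The fresh state P(p',a,p'') is represented by the triple (p', a, p'') itself."""
    states, trans, buchi, start = proc
    new_states, new_trans = set(states), set()
    for (src, a, dst) in trans:
        if a == TAU:
            new_trans.add((src, TAU, dst))
            continue
        mid = (src, a, dst)
        new_states.add(mid)
        new_trans.add((src, TAU, mid))
        new_trans.add((mid, a, dst))
    return (frozenset(new_states), frozenset(new_trans), frozenset(buchi), start)


def tau_closure(trans, seeds):
    """All states reachable from `seeds` by tau-transitions only."""
    seen, todo = set(seeds), list(seeds)
    while todo:
        s = todo.pop()
        for (src, a, dst) in trans:
            if src == s and a == TAU and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return frozenset(seen)


def finite_traces(proc, bound):
    """L_fin(p) restricted to words of length <= bound; tau-steps are unobservable,
    so the exploration walks tau-closed state sets (weak transitions)."""
    _, trans, _, start = proc
    result, frontier = set(), {((), tau_closure(trans, {start}))}
    while frontier:
        nxt = set()
        for word, S in frontier:
            result.add(word)
            if len(word) == bound:
                continue
            for a in {a for (src, a, _) in trans if src in S and a != TAU}:
                targets = {d for (src, b, d) in trans if src in S and b == a}
                nxt.add((word + (a,), tau_closure(trans, targets)))
        frontier = nxt
    return result


def finite_trace_inclusion(q, p, bound):
    """Bounded check of condition (ii) of Theorem 4.1 for divergence-free processes:
    every finite trace of q (up to `bound`) is a finite trace of p."""
    return finite_traces(q, bound) <= finite_traces(p, bound)


# The processes of the example above: p offers a and b from one state and is
# therefore not purely nondeterministic; q only offers b.
P = (frozenset({'p1', 'p2'}), frozenset({('p1', 'a', 'p1'), ('p1', 'b', 'p2')}), frozenset(), 'p1')
Q = (frozenset({'q1', 'q2'}), frozenset({('q1', 'b', 'q2')}), frozenset(), 'q1')

if __name__ == '__main__':
    print(is_purely_nondeterministic(P), is_purely_nondeterministic(split(P)))  # False True
    print(finite_traces(P, 3) == finite_traces(split(P), 3))                    # True
    print(finite_trace_inclusion(Q, P, 5))                                       # True
```

The split version has the same weak finite traces as the original because the inserted $\tau$-step is unobservable; what changes is that the choice between $a$ and $b$ is now made before either action becomes visible, which is exactly what the must-test $t$ above detects and what the trace languages alone do not.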
4.2. Constructing Büchi Processes from LTL Formulas. We now define the version of LTL that is considered in the sequel and show how an LTL formula may be converted into a purely nondeterministic Büchi process whose languages contain exactly the traces that satisfy the formula.

4.2.1. Syntax and Semantics of LTL. Our variant of LTL interprets formulas with respect to sequences of actions [14] rather than states [13], since in our setting transitions and not states are labeled. Accordingly, atomic propositions will also be interpreted with respect to actions. Moreover, our variant extends traditional LTL in that its semantics is given with respect to infinite and finite traces, i.e., words in $\mathcal{A}^* \cup \mathcal{A}^\infty$ [25]. This permits formulas to constrain ongoing as well as deadlocking behavior. The formal syntax for LTL formulas is defined by the following BNF.

$\phi ::= \mathrm{tt} \mid \mathrm{ff} \mid a \mid \neg a \mid \phi \wedge \phi \mid \phi \vee \phi \mid X\phi \mid \bar{X}\phi \mid \phi\,U\,\phi \mid \phi\,V\,\phi$

Here, $a \in \mathcal{A}$ is an atomic proposition that is true of action $a$ and false for all other actions. Moreover, $\bar{X}$ is the dual of the next-state operator $X$, which in contrast with traditional LTL is not self-dual in our setting since we admit finite traces as models. In the following, we denote the set of all LTL formulas by $\mathcal{F}$. We say that a trace $w = (a_i)_{0 < i \le k} \in \mathcal{A}^* \cup \mathcal{A}^\infty$ satisfies $\phi$ if $w \models \phi$ holds. The relation $\models \subseteq (\mathcal{A}^* \cup \mathcal{A}^\infty) \times \mathcal{F}$ is the least relation satisfying the conditions in Table 4.1, where $w_j$ stands for the suffix $(a_i)_{j \le i \le k} \in \mathcal{A}^* \cup \mathcal{A}^\infty$ of $w$, for any $1 \le j \le k$; thus $w_1 = w$, and $w_{k+1} = \epsilon$ for finite $w$. We also say that a Büchi process $p$ satisfies LTL formula $\phi$, in signs $p \models \phi$, if $\forall w \in \mathcal{L}_{\max}(p) \cup \mathcal{L}_B(p) \cup \mathcal{L}_{\mathrm{div}}(p).\ w \models \phi$. It should be noted that our syntax limits the application of negation to actions, rather than generally defining a formula $\neg\phi$ with meaning $w \models \neg\phi$ if $w \not\models \phi$. This is not a restriction since our logic is self-dual, i.e., the operators $\wedge$ and $\vee$, $X$ and $\bar{X}$, and $U$ and $V$ are dual to each other, so negation can always be pushed down to the atomic propositions.

Table 4.1

Semantics of LTL formulas

$w \models \mathrm{tt}$

$w \models a$ if $w \ne \epsilon$ and $a_1 = a$

$w \models \neg a$ if $w \not\models a$

$w \models \phi_1 \wedge \phi_2$ if $w \models \phi_1$ and $w \models \phi_2$

$w \models \phi_1 \vee \phi_2$ if $w \models \phi_1$ or $w \models \phi_2$

$w \models X\phi$ if $w \ne \epsilon$ and $w_2 \models \phi$

$w \models \bar{X}\phi$ if $w \ne \epsilon$ implies $w_2 \models \phi$

$w \models \phi_1\,U\,\phi_2$ if $\exists\, 0 < i \le k.\ w_i \models \phi_2$ and $\forall\, 0 < j < i.\ w_j \models \phi_1$

$w \models \phi_1\,V\,\phi_2$ if $(\forall\, 0 < i \le k.\ w_i \models \phi_2)$ or $(\exists\, 0 < i \le k.\ w_i \models \phi_1$ and $\forall\, 0 < j \le i.\ w_j \models \phi_2)$

The intuitive meaning of the LTL operators is the following. The symbols tt and ff stand for the propositional constants true and false, which are satisfied by every trace and by no trace, respectively. A finite or infinite trace satisfies the atomic proposition $a$ if the trace is not empty and its first action is $a$. It satisfies $\neg a$ if it does not satisfy $a$. The propositional constructs $\wedge$ and $\vee$ have their usual interpretation as conjunction and disjunction, respectively. The unary operators $X$ and $\bar{X}$ represent next-state operators. Intuitively, the trace $a \cdot w$ satisfies $X\phi$ and $\bar{X}\phi$ if $w$ satisfies $\phi$. The only difference between $X\phi$ and $\bar{X}\phi$ arises when considering the empty trace $\epsilon$: whereas $\epsilon$ satisfies $\bar{X}\phi$, it violates $X\phi$. Formula $\phi_1\,U\,\phi_2$ represents an until property and is satisfied by any trace which satisfies $\phi_1$ until $\phi_2$ becomes valid; since $\phi_2$ must become valid at some position of the trace, no until formula is satisfied by $\epsilon$. $\phi_1\,V\,\phi_2$ is a release formula and is satisfied by any trace which satisfies $\phi_2$ unless this formula is released from its obligation by the truth of $\phi_1$, which need never occur. Finally, we may introduce the derived operators $G$ ("generally") and $F$ ("eventually"), already used in Section 2, by defining $G\phi =_{df} \mathrm{ff}\,V\,\phi$ and $F\phi =_{df} \mathrm{tt}\,U\,\phi$.
In the remainder of this section we describe how to construct a purely nondeterministic Büchi process $B_\phi$ from LTL formula $\phi$ such that $p \models \phi$ if and only if $B_\phi \sqsubseteq^{\mathrm{must}}_{CL} p$, for any labeled transition system $p$. We present the construction of $B_\phi$ in three stages.

4.2.2. Constructing Büchi Processes: Infinite Traces. To begin with, we concentrate on infinite traces and show how to build a convergent Büchi process $B^\infty_\phi$ such that $w \in \mathcal{L}_B(B^\infty_\phi)$ if and only if $w \in \mathcal{A}^\infty$ and $w \models \phi$. The construction of $B^\infty_\phi$ can be done using existing techniques [9, 15, 36] for converting traditional LTL formulas into Büchi automata. Note that formulas $X\phi'$ and $\bar{X}\phi'$ coincide, for any $\phi' \in \mathcal{F}$, when considering only infinite traces as models. Using, e.g., the algorithm of [9], one may build a Büchi automaton whose language contains the infinite traces satisfying $\phi$. The states in this automaton are labeled by sets of formulas, and the construction ensures that infinite Büchi traces emanating from a state are guaranteed to satisfy each formula labeling this state. We now may adapt the following classical result.

Theorem 4.2. Let $\phi$ be an LTL formula. Then there exists a Büchi process $B^\infty_\phi$ such that $w \models \phi$ if and only if $w \in \mathcal{L}_B(B^\infty_\phi)$, for all $w \in \mathcal{A}^\infty$.

One may immediately derive the following corollary.

Corollary 4.3. Let $p$ be a convergent, deadlock-free labeled transition system, and let $\phi$ be an LTL formula. Then $p \models \phi$ if and only if $\mathcal{L}_B(p) \subseteq \mathcal{L}_B(B^\infty_\phi)$.

4.2.3. Allowing Finite Maximal Traces. In the second stage of our construction of $B_\phi$, we show how to generate a Büchi process $B^\delta_\phi$ satisfying $w \models \phi$ if and only if $w \in \mathcal{L}_B(B^\delta_\phi) \cup \mathcal{L}_{\max}(B^\delta_\phi)$, for any $w \in \mathcal{A}^* \cup \mathcal{A}^\infty$. The basic approach relies on altering Büchi process $B^\infty_\phi$ to handle finite traces. More precisely, for every state $s$ in $B^\infty_\phi$ we check whether all formulas contained in $s$ are satisfied by the deadlock trace $\epsilon$. Checking for acceptance of the deadlock trace can be done syntactically, along the structure of formulas: by Table 4.1, $\epsilon$ satisfies tt, $\neg a$, $\bar{X}\phi'$ and $\phi_1\,V\,\phi_2$, violates ff, $a$, $X\phi'$ and $\phi_1\,U\,\phi_2$, and satisfies a conjunction or disjunction according to its components. Next, for every state $s$ in $B^\infty_\phi$ such that each LTL formula labeling $s$ is satisfied by $\epsilon$, we add a transition $s \stackrel{\tau}{\longrightarrow} \delta$, where $\delta$ is a new state that is labeled with $\{\bar{X}\mathrm{ff}\}$, which has $\epsilon$ as its only model. However, since we give deadlocks a meaning in the form of state $\delta$, we need to eliminate other states having no outgoing transitions in $B^\infty_\phi$. Such states correspond to logical contradictions, i.e., the set of formulas labeling such states is not satisfiable. In $B^\delta_\phi$ we eliminate such deadlock states by removing them from the acceptance set if they are labeled as such, and then adding $\tau$-loops at each of these states.

Proposition 4.4. Let $\phi$ be an LTL formula. Then there exists a Büchi process $B^\delta_\phi$ such that:

1. $\forall w \in \mathcal{A}^*.\ w \models \phi$ if and only if $w \in \mathcal{L}_{\max}(B^\delta_\phi)$

2. $\forall w \in \mathcal{A}^\infty.\ w \models \phi$ if and only if $w \in \mathcal{L}_B(B^\delta_\phi)$

The second part of the proposition follows immediately from Theorem 4.2, since $B^\delta_\phi$ and $B^\infty_\phi$ possess the same Büchi traces. The first part is a consequence of the fact that (i) our construction ensures that $w \in \mathcal{L}_{\max}(B^\delta_\phi)$ if and only if $s_\phi \stackrel{w}{\Longrightarrow} \delta$, where $s_\phi$ is the start state of $B^\delta_\phi$, and that (ii) $s_\phi \stackrel{w}{\Longrightarrow} \delta$ holds if and only if $w \models \phi$. As a consequence of this result, we obtain the following theorem.

Theorem 4.5. Let $p$ be a convergent labeled transition system, and let $\phi$ be an LTL formula. Then $p \models \phi$ if and only if $\mathcal{L}_{\max}(p) \subseteq \mathcal{L}_{\max}(B^\delta_\phi)$ and $\mathcal{L}_B(p) \subseteq \mathcal{L}_B(B^\delta_\phi)$.
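As an added example (not the paper's own code), the following Python serves two passages of this section: it implements the satisfaction relation of Table 4.1 (Section 4.2.1) over finite traces and over infinite traces given as ultimately periodic words $\mathit{prefix} \cdot \mathit{loop}^\omega$, and it implements the syntactic check of whether the deadlock trace $\epsilon$ satisfies a formula, which the second construction stage (Section 4.2.3) uses to decide where the transition to $\delta$ is added. Representing infinite traces as ultimately periodic words is an assumption of this example; it covers every infinite trace of a finite-state Büchi process but not arbitrary words of $\mathcal{A}^\infty$. The negation function `neg` shows the self-duality claim of Section 4.2.1 in operation. All names (Trace, sat, neg, eps_models) are this example's own.

```python
# Added example: LTL over finite and infinite traces (Table 4.1) and the syntactic
# epsilon-check of Section 4.2.3. Infinite traces are ultimately periodic words
# prefix . loop^omega (an assumption of this example).

class Trace:
    """A word in A* (loop == ()) or in A^infinity (prefix followed by loop forever)."""

    def __init__(self, prefix, loop=()):
        self.prefix, self.loop = tuple(prefix), tuple(loop)

    def is_empty(self):                 # w == epsilon
        return not self.prefix and not self.loop

    def first(self):                    # a_1, the first action (None for epsilon)
        return (self.prefix or self.loop or (None,))[0]

    def tail(self):                     # w_2: w with its first action removed
        if self.prefix:
            return Trace(self.prefix[1:], self.loop)
        if self.loop:
            return Trace((), self.loop[1:] + self.loop[:1])
        return self

    def suffixes(self):
        """The suffixes w_1 = w, w_2, ... over which U and V quantify (0 < i <= k).
        A finite w of length k has exactly k of them. For prefix.loop^omega every
        suffix equals one of the first len(prefix)+len(loop); that is enough because
        the least witness index of an U or V clause always lies among them."""
        out, s = [], self
        for _ in range(len(self.prefix) + len(self.loop)):
            out.append(s)
            s = s.tail()
        return out


# Formulas are nested tuples; an action name a is the atomic proposition "first action is a".
TT, FF = ('tt',), ('ff',)
def act(a):    return ('a', a)
def nact(a):   return ('not', a)
def And(f, g): return ('and', f, g)
def Or(f, g):  return ('or', f, g)
def X(f):      return ('X', f)         # strong next: w != epsilon and w_2 |= f
def Xbar(f):   return ('Xbar', f)      # weak next:   w != epsilon implies w_2 |= f
def U(f, g):   return ('U', f, g)      # until
def V(f, g):   return ('V', f, g)      # release
def G(f):      return V(FF, f)         # derived as in the paper: G f = ff V f
def F(f):      return U(TT, f)         # derived as in the paper: F f = tt U f


def sat(w, phi):
    """w |= phi, clause by clause as in Table 4.1."""
    op = phi[0]
    if op == 'tt':   return True
    if op == 'ff':   return False
    if op == 'a':    return not w.is_empty() and w.first() == phi[1]
    if op == 'not':  return not sat(w, ('a', phi[1]))
    if op == 'and':  return sat(w, phi[1]) and sat(w, phi[2])
    if op == 'or':   return sat(w, phi[1]) or sat(w, phi[2])
    if op == 'X':    return not w.is_empty() and sat(w.tail(), phi[1])
    if op == 'Xbar': return w.is_empty() or sat(w.tail(), phi[1])
    ws = w.suffixes()
    if op == 'U':    # exists i. w_i |= phi2 and forall j < i. w_j |= phi1
        return any(sat(ws[i], phi[2]) and all(sat(ws[j], phi[1]) for j in range(i))
                   for i in range(len(ws)))
    if op == 'V':    # (forall i. w_i |= phi2) or (exists i. w_i |= phi1 and forall j <= i. w_j |= phi2)
        return (all(sat(s, phi[2]) for s in ws) or
                any(sat(ws[i], phi[1]) and all(sat(ws[j], phi[2]) for j in range(i + 1))
                    for i in range(len(ws))))
    raise ValueError(phi)


def neg(phi):
    """Negation pushed to the atoms via the dualities tt/ff, a/not a, and/or, X/Xbar, U/V."""
    dual = {'tt': 'ff', 'ff': 'tt', 'a': 'not', 'not': 'a', 'and': 'or', 'or': 'and',
            'X': 'Xbar', 'Xbar': 'X', 'U': 'V', 'V': 'U'}
    op = phi[0]
    if op in ('tt', 'ff'):
        return (dual[op],)
    if op in ('a', 'not'):
        return (dual[op], phi[1])
    return (dual[op],) + tuple(neg(f) for f in phi[1:])


def eps_models(phi):
    """Syntactic check whether the deadlock trace epsilon satisfies phi (Section 4.2.3):
    tt, not a, Xbar and V hold of epsilon, ff, a, X and U do not; and/or are structural."""
    op = phi[0]
    if op in ('tt', 'not', 'Xbar', 'V'):
        return True
    if op in ('ff', 'a', 'X', 'U'):
        return False
    if op == 'and':
        return eps_models(phi[1]) and eps_models(phi[2])
    return eps_models(phi[1]) or eps_models(phi[2])


EPS = Trace(())                    # the deadlock trace
ABAB = Trace((), ('a', 'b'))       # (ab)^omega, a constructed infinite trace
AAB = Trace(('a', 'a', 'b'))       # a constructed finite (deadlocking) trace
```

Note how `eps_models` never touches `sat`: the deadlock check needed by the construction is purely structural, which is why the paper can perform it on the formula sets labeling the states of $B^\infty_\phi$ without any semantic reasoning.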

4.2.4. Allowing Divergent Traces. As the third step in our construction, we generate a Büchi process $B^{\Uparrow}_\phi$ that additionally takes divergent traces of labeled transition systems into account. Recall that for general labeled transition systems $p$ we defined $p \models \phi$ if $w \models \phi$ for all $w \in \mathcal{L}_{\max}(p) \cup \mathcal{L}_B(p) \cup \mathcal{L}_{\mathrm{div}}(p)$.
We modify $B^\delta_\phi$ to a Büchi process $B^{\Uparrow}_\phi$ by adding divergent states. Intuitively, the divergent states of $B^{\Uparrow}_\phi$ should have the following property. If $w \in \mathcal{A}^*$ is such that $w \cdot w' \models \phi$ for any $w' \in \mathcal{A}^* \cup \mathcal{A}^\infty$, then the states reachable in $B^{\Uparrow}_\phi$ via $w$ should be divergent. In essence, divergence is intended to capture tautologies, i.e., LTL formulas satisfied by any trace. The construction of $B^{\Uparrow}_\phi$ relies firstly on the construction of a traditional finite-state machine for recognizing words in $\mathcal{A}^*$ satisfying the aforementioned property. This may be done as follows.

1. Apply the traditional subset construction to determinize $B^\delta_\phi$. The label of each state in the determinized automaton will be a set of sets of LTL formulas.

2. For each state $s$, check whether the formula $\bigvee_{F \in \ell(s)} \bigwedge_{\phi' \in F} \phi'$ is a tautology, where $\ell(s)$ is the set of sets of formulas labeling $s$ in the determinized automaton. If so, mark state $s$ as accepting. Note that the tautology check can be performed algorithmically, although a consideration of this point is beyond the scope of this paper.

It can be shown that a finite word $w \in \mathcal{A}^*$ is accepted by the resulting automaton $A_\phi$ if and only if $w \cdot w' \models \phi$ for any $w' \in \mathcal{A}^* \cup \mathcal{A}^\infty$. We may now build $B^{\Uparrow}_\phi$ by first taking the synchronous product of $B^\delta_\phi$ and $A_\phi$. States in this product have the form $(s_B, s_A)$, where $s_B$ is a state in $B^\delta_\phi$ and $s_A$ is a state in $A_\phi$. Such a state is a Büchi accepting state in $B^{\Uparrow}_\phi$ if $s_B$ is a Büchi state in $B^\delta_\phi$ or if $s_A$ is an accepting state in $A_\phi$. In the latter case, we make the state divergent by adding a $\tau$-loop to it. We also add $a$-loops to the state, for every $a \in \mathcal{A}$, as well as a $\tau$-transition to $\delta$. This construction leads to the following lemma and proposition.

Lemma 4.6. Let $s$ be the start state of Büchi process $B^{\Uparrow}_\phi$, and let $w \in \mathcal{A}^* \cup \mathcal{A}^\infty$ be such that $s \Uparrow w$. Then $w \cdot w' \models \phi$, for any $w' \in \mathcal{A}^* \cup \mathcal{A}^\infty$.

Proposition 4.7. Let $w \in \mathcal{A}^* \cup \mathcal{A}^\infty$. Then $w \models \phi$ if and only if $w \in \mathcal{L}_{\max}(B^{\Uparrow}_\phi) \cup \mathcal{L}_B(B^{\Uparrow}_\phi) \cup \mathcal{L}_{\mathrm{div}}(B^{\Uparrow}_\phi)$.

The validity of this proposition is due to Proposition 4.4 when considering that $B^{\Uparrow}_\phi$ possesses by construction the same maximal traces and the same infinite Büchi traces as $B^\delta_\phi$. Thus, only the direction "⇐" for divergent traces $w \in \mathcal{L}_{\mathrm{div}}(B^{\Uparrow}_\phi)$ needs to be established. However, this case is taken care of by Lemma 4.6.
Before  we  can  state  and  prove  our  main  result  of  this  section,  we  need  one  more  lemma. 

Lemma 4.8. Let $\phi$ be an LTL formula, and let $p$ be a labeled transition system such that $p \models \phi$. Then $w \in \mathcal{L}_{\mathrm{div}}(p)$ implies $w \in \mathcal{L}_{\mathrm{div}}(B^{\Uparrow}_\phi)$.

The proof of this lemma follows from the fact that if $w \in \mathcal{L}_{\mathrm{div}}(p)$, then there exists a finite prefix $w'$ of $w$ such that $w' \cdot w'' \in \mathcal{L}_{\mathrm{div}}(p)$ for every $w'' \in \mathcal{A}^* \cup \mathcal{A}^\infty$. Since $p \models \phi$, all of these traces satisfy $\phi$, which implies that $w'$ must lead to a divergent state in $B^{\Uparrow}_\phi$. Proposition 4.7 and Lemma 4.8 are the key for proving the following theorem, which lifts Corollary 4.3 and Theorem 4.5 to arbitrary labeled transition systems. Its proof can be found in Appendix A.4.

Theorem 4.9. Let $p$ be a labeled transition system and $\phi$ an LTL formula. Then, $p \models \phi$ if and only if

(i) $\mathcal{L}_{\mathrm{div}}(p) \subseteq \mathcal{L}_{\mathrm{div}}(B^{\Uparrow}_\phi)$

(ii) $\mathcal{L}_{\mathrm{fin}}(p) \setminus \mathcal{L}_{\mathrm{div}}(B^{\Uparrow}_\phi) \subseteq \mathcal{L}_{\mathrm{fin}}(B^{\Uparrow}_\phi)$

(iii) $\mathcal{L}_{\max}(p) \setminus \mathcal{L}_{\mathrm{div}}(B^{\Uparrow}_\phi) \subseteq \mathcal{L}_{\max}(B^{\Uparrow}_\phi)$

(iv) $\mathcal{L}_B(p) \setminus \mathcal{L}_{\mathrm{div}}(B^{\Uparrow}_\phi) \subseteq \mathcal{L}_B(B^{\Uparrow}_\phi)$

Note that the "⇒" direction of Theorem 4.9 is invalid if $p$ is allowed to be an arbitrary Büchi process. As a counter-example, consider $p =_{df} (\{p_1, p_2, p_3\}, \{(p_1, a, p_2), (p_1, \tau, p_3), (p_3, b, p_3)\}, \emptyset, p_1)$ and $\phi =_{df} a$. Then $p \models a$, since $b^\infty \notin \mathcal{L}_B(p)$ (no state of $p$ is a Büchi state, so the $b$-loop contributes no Büchi trace) and the only maximal trace $a$ satisfies $a$, and $b \in \mathcal{L}_{\mathrm{fin}}(p) \setminus \mathcal{L}_{\mathrm{div}}(B^{\Uparrow}_a)$. But obviously $b \notin \mathcal{L}_{\mathrm{fin}}(B^{\Uparrow}_a)$, so condition (ii) fails.
4.3. Relating LTL Satisfaction and the Büchi Must-preorder. As the last step in relating the LTL satisfaction relation $\models$ to the Büchi must-preorder $\sqsubseteq^{\mathrm{must}}_{CL}$, we employ $B^{\Uparrow}_\phi$ to construct a Büchi process $B_\phi$ such that $p \models \phi$ if and only if $B_\phi \sqsubseteq^{\mathrm{must}}_{CL} p$. We first note that for any $\phi$, $B^{\Uparrow}_\phi$ can be transformed to a purely nondeterministic Büchi process $B_\phi$ while preserving all languages, as outlined in Section 4.1. Thus, Theorem 4.9 is valid for $B_\phi$ as well as for $B^{\Uparrow}_\phi$. By combining Theorems 4.1 and 4.9 we obtain the desired main result as a corollary.

Corollary 4.10 (Büchi Must-testing and LTL Model Checking). Let $p$ be a labeled transition system and $\phi$ be an LTL formula. Then we have $p \models \phi$ if and only if $B_\phi \sqsubseteq^{\mathrm{must}}_{CL} p$.

As a consequence of this corollary, our notion of Büchi must-testing not only extends DeNicola and Hennessy's must-preorder [11] to Büchi processes, as well as the variant of Büchi must-testing introduced by Kumar et al. [28], but is also compatible with the satisfaction relation of linear-time logics.


5. Motivating Example, Revisited. In this section we illustrate the application of our theory by revisiting and formalizing the motivating example introduced in Section 2. To do so, we need to define two operators on Büchi automata: parallel composition and restriction.

Our parallel composition operator "|" and the restriction operator $\setminus A$, where $A \subseteq \mathcal{A}$, are inspired by the ones in the process algebra CCS [27]. We assume that alphabet $\mathcal{A}$ is composed of two sets $\mathcal{A}_!$ and $\mathcal{A}_?$, representing sending and receiving actions, such that for every $a! \in \mathcal{A}_!$ there exists a corresponding $a? \in \mathcal{A}_?$, and vice versa. Here, $a$ should be interpreted as a channel name. The intuition for parallel composition in CCS is that a process willing to send a message on channel $a$ and another one able to receive a message on $a$ can do so by performing the actions $a!$ and $a?$ in synchrony with each other. This handshake is invisible to an external observer, i.e., it results in the distinguished, unobservable action $\tau$. When adapting the CCS parallel operator to our framework of Büchi processes, the question that naturally arises concerns the interpretation of Büchi traces. We adopt the following point of view: Intuitively, "fair merges" of Büchi traces of $p$ and $q$ should also be Büchi traces of $p|q$. Moreover, a Büchi trace of one process, when merged with a finite trace of the other process, should result in a Büchi trace of $p|q$.

Formally, we define the parallel composition of Büchi processes $(P, \to_p, \checkmark_p, p)$ and $(Q, \to_q, \checkmark_q, q)$ to be the Büchi process $(P|Q, \to_{p|q}, \checkmark_{p|q}, p|q)$, where $P|Q =_{df} \{p'|q' \mid p' \in P, q' \in Q\} \cup \{q'|p' \mid p' \in P, q' \in Q\}$.

The transition relation $\to_{p|q}$ is the least relation satisfying the following rules, where $\alpha$ ranges over $\mathcal{A} \cup \{\tau\}$.

(1) $p' \stackrel{\alpha}{\longrightarrow}_p p''$ implies $p'|q' \stackrel{\alpha}{\longrightarrow}_{p|q} q'|p''$, if $p' \checkmark_p$

(2) $p' \stackrel{\alpha}{\longrightarrow}_p p''$ implies $p'|q' \stackrel{\alpha}{\longrightarrow}_{p|q} p''|q'$, if not $p' \checkmark_p$

(3) $q' \stackrel{\alpha}{\longrightarrow}_q q''$ implies $p'|q' \stackrel{\alpha}{\longrightarrow}_{p|q} q''|p'$

(4) $p' \stackrel{a!}{\longrightarrow}_p p''$ and $q' \stackrel{a?}{\longrightarrow}_q q''$ implies $p'|q' \stackrel{\tau}{\longrightarrow}_{p|q} q''|p''$, if $p' \checkmark_p$

(5) $p' \stackrel{a!}{\longrightarrow}_p p''$ and $q' \stackrel{a?}{\longrightarrow}_q q''$ implies $p'|q' \stackrel{\tau}{\longrightarrow}_{p|q} p''|q''$, if not $p' \checkmark_p$

(6) $p' \stackrel{a?}{\longrightarrow}_p p''$ and $q' \stackrel{a!}{\longrightarrow}_q q''$ implies $p'|q' \stackrel{\tau}{\longrightarrow}_{p|q} q''|p''$, if $p' \checkmark_p$

(7) $p' \stackrel{a?}{\longrightarrow}_p p''$ and $q' \stackrel{a!}{\longrightarrow}_q q''$ implies $p'|q' \stackrel{\tau}{\longrightarrow}_{p|q} p''|q''$, if not $p' \checkmark_p$

These rules are in accordance with our above-mentioned intuition of system behavior. The "switching" of the states of $p$ and $q$ in Rules (1), (3), (4), and (6) allows us to fairly merge "Büchi traces with Büchi traces" and "Büchi traces with finite traces" of the argument Büchi processes. This switching is also done for logical conjunction in the construction of Büchi automata from LTL formulas [9]. Finally, the Büchi predicate $\checkmark_{p|q}$ is defined by $p'|q' \checkmark_{p|q}$ if $p' \checkmark_p$, for any $p' \in P$ and $q' \in Q$. A similar construction could be done for CSP-style parallel composition [19]. The unary restriction operator $\setminus A$, for $A \subseteq \mathcal{A}$, essentially is a scoping mechanism on channel names. Intuitively, $p \setminus A$ is defined as the Büchi process $p$, except that all transitions labeled by actions $a!$ and $a?$, where $a \in A$, are eliminated. One can now obtain the desired compositionality result of the Büchi may- and must-preorders with respect to the new operators.

Proposition 5.1. Let $p_1$, $p_2$, $q_1$ and $q_2$ be Büchi processes and $A \subseteq \mathcal{A}$. Then

(i) $p_1 \sqsubseteq^{\mathrm{may}}_{CL} p_2$ and $q_1 \sqsubseteq^{\mathrm{may}}_{CL} q_2$ implies $p_1|q_1 \sqsubseteq^{\mathrm{may}}_{CL} p_2|q_2$.

(ii) $p_1 \sqsubseteq^{\mathrm{must}}_{CL} p_2$ and $q_1 \sqsubseteq^{\mathrm{must}}_{CL} q_2$ implies $p_1|q_1 \sqsubseteq^{\mathrm{must}}_{CL} p_2|q_2$.

(iii) $p_1 \sqsubseteq^{\mathrm{may}}_{CL} p_2$ implies $p_1 \setminus A \sqsubseteq^{\mathrm{may}}_{CL} p_2 \setminus A$.

(iv) $p_1 \sqsubseteq^{\mathrm{must}}_{CL} p_2$ implies $p_1 \setminus A \sqsubseteq^{\mathrm{must}}_{CL} p_2 \setminus A$.

The proof of this proposition can be done by exploiting the characterizations of the Büchi may- and must-preorders and our conservative extension results, as presented in Sections 3.3 and 3.4. Regarding finite traces, one can then adapt the corresponding proofs of DeNicola and Hennessy [11]. The compositionality with respect to Büchi traces is straightforward regarding the restriction operator; for the parallel operator, it is a consequence of the formalization of our intuition of fair merging.

Let us return to the motivating example of a generic communication protocol. To demonstrate that the LTL specification of the sender is strong enough to ensure that the protocol is correct, in the sense of satisfying the temporal formula Spec given in Section 2, we may use the results of this paper as follows.

1. Construct the purely nondeterministic Büchi process $B_{\mathrm{Spec}}$ for LTL formula Spec, as illustrated in Section 4.2.

2. Construct the purely nondeterministic Büchi process $B_{\mathrm{Sender}}$ for LTL formula Sender describing the behavior of the sender.

3. Assemble the overall system: System $=_{df}$ $(B_{\mathrm{Sender}} \mid \mathrm{Medium} \mid \mathrm{Receiver}) \setminus \{\mathit{put}, \mathit{get}, \mathit{pack}, \mathit{gack}\}$.

4. Determine whether or not $B_{\mathrm{Spec}} \sqsubseteq^{\mathrm{must}}_{CL}$ System.

In this case, the answer is positive, and Proposition 5.1 guarantees that replacing $B_{\mathrm{Sender}}$ with any Büchi process $p$ such that $B_{\mathrm{Sender}} \sqsubseteq^{\mathrm{must}}_{CL} p$ will ensure that the overall system meets its specification. If $p$ is a labeled transition system, then $B_{\mathrm{Sender}} \sqsubseteq^{\mathrm{must}}_{CL} p$ holds exactly when $p \models \mathrm{Sender}$, by Corollary 4.10. One example of such a $p$ is the labeled transition system depicted in Figure 2.2.

6. Related Work. Other researchers have also investigated formalisms that permit some form of combined assertional and operational reasoning. Of most direct relevance to this paper is the work of Kurshan [23], who developed a theory of ω-word automata that includes notions of synchronous and asynchronous composition. However, his underlying semantic model maps processes to their maximal (infinite) traces, and the associated notion of refinement is (reverse) trace inclusion. In theories of concurrency such as CCS [27] and CSP [19], in which deadlock is possible, maximal trace inclusion is not compositional [26]. In contrast, our must-preorder is compositional, at least for the operators presented here. The idea of testing was also adopted by Valmari in [35], where a notion of tester process dealing with finite and infinite traces, divergence, and failures is developed. Other work, such as that of Kupferman and Vardi [22], Grumberg and Long [16], and Clarke, Long and McMillan [7], investigated modular and compositional model checking in similar non-deadlock environments. In each case, temporal formulas are used, sometimes in conjunction with additional processes, to capture "environmental" information about the module being analyzed. Andersen [1] developed an approach to compositional model checking in which formulas are "factored" by parallel components given as labeled transition systems, yielding new formulas that must be satisfied by the system comprising the remaining components. His work takes place in the setting of potentially deadlocked processes, although the problem he considered is more narrowly defined than the one studied here.

Relatively more work has been devoted to analyzing relationships between refinement and logical approaches. One line of study relates temporal-logic specifications to refinement-based ones by establishing that one system refines another if and only if it satisfies the same properties. Results along these lines were pioneered by Hennessy and Milner [18] for bisimulation equivalence [27] and a modal logic of their devising [27]. Stirling developed similar characterizations for other refinement orderings and related logics [33]. The ideas were also adopted by Browne, Clarke and Grumberg [4] regarding bisimulation equivalence and the branching-time temporal logic CTL*, by Dams [10] for several variants of the simulation preorder [27] and the logic CTL, and by DeNicola and Vaandrager [12] with respect to branching bisimulation. Another line of research involves the encoding of labeled transition systems as logical formulas, and vice versa. Steffen and Ingolfsdottir [32] defined an algorithm for converting finite-state labeled transition systems into formulas in the mu-calculus [21], while Larsen [24] demonstrated that certain mu-calculus formulas can be encoded as bisimulation-based implicit specifications.

Finally, traditional testing has also been enriched with notions of fairness [2, 29]. These results, while not addressing the issue of temporal logic, provide an alternative means, besides introducing Büchi states, of incorporating notions of infinite computation into labeled transition systems.

7. Conclusions and Future Work. In this paper we conservatively extended the testing theories of DeNicola and Hennessy [11] and Narayan Kumar et al. [28] to Büchi processes. We illustrated that Büchi processes provide a uniform basis for analyzing heterogeneous reactive-system specifications given as a mixture of labeled transition systems and formulas in linear-time temporal logic (LTL). We then studied the derived Büchi may- and must-preorders, developed alternative characterizations, and showed that the Büchi must-preorder collapses to a variant of reverse trace inclusion when its first argument is purely nondeterministic. Using the latter result, we established that standard algorithms for constructing Büchi processes from LTL formulas can be adapted to our setting in such a way that LTL model checking reduces to checking our form of trace inclusion. In a nutshell, we proved that

LTL model checking = Büchi must-preorder checking + pure nondeterminism.

Hence, LTL model checking may be viewed as refinement. To illustrate the utility of our novel framework, we presented several operators for constructing specifications, argued that the Büchi must-preorder is substitutive for the operators, and gave an example showing how they may be used to build system designs.

The results of this paper are important first steps towards a more ambitious goal, namely developing languages combining operational and assertional styles of specification. Accordingly, future research should focus on studying languages mixing operators from process algebras and LTL, which can be given a semantics in terms of Büchi processes. For specific languages, one could then study compositionality issues, full abstraction, and axiomatic characterizations of our Büchi must-preorder, as is usually done in the field of process algebra. For the sake of completing the theory of Büchi testing, we intend to investigate the consequences of restricting our framework to finite-state tests. Moreover, we want to explore how well-known algorithms for computing DeNicola and Hennessy's must-preorder [8] can be lifted to the Büchi must-preorder on finite-state Büchi processes. We would also like to study theories supporting branching-time logics as well.
Appendix A. Proof of the Main Theorems.

A.1. Proof of Theorem 3.5. Let $p$ and $q$ be Büchi processes.

1. For proving the "⇒"-direction, we distinguish the following cases.

• $w \in \mathcal{L}_{\mathrm{fin}}(p)$: Then $p\ \mathrm{may}_{CL}\ t^{\mathrm{may},*}_w$ by Lemma 3.6(1) and, since $p \sqsubseteq^{\mathrm{may}}_{CL} q$, also $q\ \mathrm{may}_{CL}\ t^{\mathrm{may},*}_w$. Applying Lemma 3.6(1) again, we obtain $w \in \mathcal{L}_{\mathrm{fin}}(q)$, as desired.

• $w \in \mathcal{L}_B(p)$: Here, we distinguish the cases $|w| = \infty$ and $|w| < \infty$. In both cases, we closely follow the lines of the first proof part, but use Lemma 3.6(2) together with the Büchi test it provides, and Lemma 3.6(3) together with Büchi test $t^{\mathrm{may,div}}_w$, respectively, instead of Lemma 3.6(1) and Büchi test $t^{\mathrm{may},*}_w$.

For the "⇐"-direction, assume that $t$ is a Büchi test satisfying $p\ \mathrm{may}_{CL}\ t$. Then there exists a successful computation $c \in \mathcal{C}(p, t)$ with $w =_{df} \mathrm{trace}(\mathrm{proj}_p(c)) = \mathrm{trace}(\mathrm{proj}_t(c))$. If $|w| = \infty$ we have $w \in \mathcal{L}_B(p)$. Hence, $w \in \mathcal{L}_B(q)$, and we can construct a successful computation $c' \in \mathcal{C}(q, t)$. The case $|w| < \infty$ is split into two sub-cases according to whether $w \in \mathcal{L}_{\mathrm{fin}}(p)$ or $w \in \mathcal{L}_B(p)$. In either case one can easily establish $q\ \mathrm{may}_{CL}\ t$. Therefore, $p \sqsubseteq^{\mathrm{may}}_{CL} q$, as desired.

2. For the "⇒"-direction, assume $p \sqsubseteq^{\mathrm{must}}_{CL} q$, and let $w \in \mathcal{A}^* \cup \mathcal{A}^\infty$ such that $p \Downarrow w$.

(a) Let $t$ denote the Büchi test that Lemma 3.6(4) associates with $w$. Then $p\ \mathrm{must}_{CL}\ t$ by Lemma 3.6(4) and, since $p \sqsubseteq^{\mathrm{must}}_{CL} q$, also $q\ \mathrm{must}_{CL}\ t$. Thus, we obtain $q \Downarrow w$ by applying Lemma 3.6(4) again.

(b) $|w| < \infty$: Let $q \stackrel{w}{\Longrightarrow} q'$ for some $q'$, i.e., $w \in \mathcal{L}_{\mathrm{fin}}(q)$. Assume further that there is no $p'$ with $p \stackrel{w}{\Longrightarrow} p'$ and $\mathcal{I}_p(p') \subseteq \mathcal{I}_q(q')$. We may distinguish the following cases.

• $p \stackrel{w}{\not\Longrightarrow}$: Then $w \notin \mathcal{L}_{\mathrm{fin}}(p)$, and by Lemma 3.6(5) we obtain $p\ \mathrm{must}_{CL}\ t^{\mathrm{must},*}_w$. However, $\neg(q\ \mathrm{must}_{CL}\ t^{\mathrm{must},*}_w)$ by the same lemma.

• $p \stackrel{w}{\Longrightarrow}$: Let $\mathcal{S} =_{df} \{\mathcal{I}_p(p') \mid p \stackrel{w}{\Longrightarrow} p'\} \ne \emptyset$. By assumption, for every $S_i \in \mathcal{S}$ there exists an action $a_i \in S_i \setminus \mathcal{I}_q(q')$. Let $B \ne \emptyset$ be the set of these actions. It is easy to see that $p\ \mathrm{must}_{CL}\ t$ holds for the Büchi test $t$ that Lemma 3.6 builds for $w$ and $B$, due to the construction of that test. However, $\neg(q\ \mathrm{must}_{CL}\ t)$ since $q' \stackrel{a}{\not\Longrightarrow}$ for all actions $a \in B$.

Hence, $p \not\sqsubseteq^{\mathrm{must}}_{CL} q$, which is a contradiction.

$|w| = \infty$: Assume $w \notin \mathcal{L}_B(p)$. Then $p\ \mathrm{must}_{CL}\ t^{\mathrm{must},\infty}_w$ by Lemma 3.6(7) and, since $p \sqsubseteq^{\mathrm{must}}_{CL} q$, also $q\ \mathrm{must}_{CL}\ t^{\mathrm{must},\infty}_w$. But then $w \notin \mathcal{L}_B(q)$ holds by Lemma 3.6(7), as desired.

For the proof of the "⇐"-direction, let $t \in \mathcal{T}$ such that $\neg(q\ \mathrm{must}_{CL}\ t)$, i.e., there exists an unsuccessful computation $c = (((q_{i-1}, t_{i-1}), a_i, (q_i, t_i)))_{0 < i \le k} \in \mathcal{C}(q, t)$. Let $w =_{df} \mathrm{trace}(\mathrm{proj}_q(c)) = \mathrm{trace}(\mathrm{proj}_t(c))$. If $p \Uparrow w$, we can construct an unsuccessful, infinite computation $c'$ which resembles $c$ until $p$ can engage in its divergent Büchi computation, in which case we can force $t$ not to contribute to $c'$ any more. Thus, $c'$ is an unsuccessful computation, since $\mathrm{proj}_p(c') \in \Pi_B(p)$, but $|\mathrm{proj}_t(c')| < \infty$, i.e., $\mathrm{proj}_t(c') \notin \Pi_B(t)$.

For the remainder of this proof, let us assume $p \Downarrow w$, i.e., $w \notin \mathcal{L}_{\mathrm{div}}(p)$. According to the definition of (un)successful computations, we distinguish the following two cases.

• $|c| < \infty$: Then $w \in \mathcal{L}_{\mathrm{fin}}(q)$, $q \stackrel{w}{\Longrightarrow} q'$ for some $q'$, and $t_k \notin \mathrm{Succ}$. Due to the maximality of computations we also have $q_k \stackrel{\tau}{\not\longrightarrow}_q$ and $\mathcal{I}_q(q_k) \cap \mathcal{I}_t(t_k) = \emptyset$. By Condition 2(b) of the premise (cf. the right-hand side of the characterization in Theorem 3.5) we know of the existence of some $p'$ such that $p \stackrel{w}{\Longrightarrow} p'$ and $\mathcal{I}_p(p') \subseteq \mathcal{I}_q(q')$. Using these facts one may construct a finite computation $c' = (((p_{i-1}, t'_{i-1}), b_i, (p_i, t'_i)))_{0 < i \le l} \in \mathcal{C}(p, t)$ with $\mathrm{proj}_t(c') = \mathrm{proj}_t(c)$ and $(p_l, t'_l) = (p'', t_k)$, where $p' \stackrel{\epsilon}{\Longrightarrow} p''$ for some $p'' \stackrel{\tau}{\not\longrightarrow}_p$. Note that such a $p''$ must exist since $p \Downarrow w$. Moreover, $\mathcal{I}_p(p'') \subseteq \mathcal{I}_p(p')$ by the definition of $\mathcal{I}_p(\cdot)$. Because $\mathcal{I}_p(p'') \cap \mathcal{I}_t(t_k) \subseteq \mathcal{I}_q(q') \cap \mathcal{I}_t(t_k) = \emptyset$ holds, $c'$ cannot be extended. Finally, $c'$ is unsuccessful since $t'_l = t_k \notin \mathrm{Succ}$.

• $|c| = \infty$: Hence, $w \in \mathcal{L}_B(q)$ and, since $\mathcal{L}_B(q) \subseteq \mathcal{L}_B(p)$, also $w \in \mathcal{L}_B(p)$. Then it is straightforward to construct an unsuccessful computation $c' \in \mathcal{C}(p, t)$ with $\mathrm{proj}_t(c') = \mathrm{proj}_t(c)$.

In both cases we obtain $\neg(p\ \mathrm{must}_{CL}\ t)$. Summarizing, we have shown for an arbitrary test $t \in \mathcal{T}$ that $\neg(q\ \mathrm{must}_{CL}\ t)$ implies $\neg(p\ \mathrm{must}_{CL}\ t)$, i.e., $p \sqsubseteq^{\mathrm{must}}_{CL} q$, as desired.

This finishes the proof of Theorem 3.5.

A. 2.  Proof  of  Theorem  3.7.  Consider  image-finite  labeled  transition  systems  only. 

1.  Under  the  additional  assumption  of  convergence ,  the  definitions  of  and  the  Buchi-may  preorder 

introduced  by  Narayan  Kumar  et  al.  are  identical.  Narayan  Kumar  et  al.  showed  their  preorder  to 
coincide  with  CpjJ-;  hence,  also  and  ESh  coincide. 


Fig.  A.l.  (Counter-) example  demonstrating  the  necessity  of  the  image- finiteness  assumption 

2. We now establish $\sqsubseteq^{\mathrm{B}}_{\mathrm{must}} = \sqsubseteq^{\mathrm{DH}}_{\mathrm{must}}$ by showing that the alternative characterizations of these preorders coincide when considering the setting of DeNicola and Hennessy. The alternative characterization of $\sqsubseteq^{\mathrm{B}}_{\mathrm{must}}$ (cf. Theorem 3.5(2)) differs from the one of $\sqsubseteq^{\mathrm{DH}}_{\mathrm{must}}$ in two ways: (i) the definition of $p \Downarrow w$ and $q \Downarrow w$ also permits the case $w \in \mathcal{A}^\infty$, and (ii) Condition (b) in Theorem 3.5(2) for $|w| = \infty$ is missing. Regarding the first point of departure, our definition of divergence implies for all $w = (a_i)_{i \in \mathbb{N}} \in \mathcal{A}^\infty$ the following.

$\forall k \in \mathbb{N}.\ (p \Downarrow w_k \text{ implies } q \Downarrow w_k)$ implies $(p \Downarrow w \text{ implies } q \Downarrow w)$

where $w_k =_{\mathrm{df}} (a_i)_{0 \le i < k} \in \mathcal{A}^*$. Thus, Condition (a) of Theorem 3.5(2) for infinite $w$ is already implied by the same condition for all finite prefixes of $w$. Moreover, our definition of divergence coincides with the one of DeNicola and Hennessy for labeled transition systems. The second point of departure can be addressed in a similar fashion. In fact, it is easy to establish that the following holds for image-finite labeled transition systems $p$ and $q$ and for all $w = (a_i)_{i \in \mathbb{N}} \in \mathcal{A}^\infty$ such that $p \Downarrow w$ and $q \Downarrow w$.

$\forall k \in \mathbb{N}.\ (w_k \in \mathcal{L}_{\mathrm{fin}}(q) \text{ implies } w_k \in \mathcal{L}_{\mathrm{fin}}(p))$ implies $(w \in \mathcal{L}_B(q) \text{ implies } w \in \mathcal{L}_B(p))$

where $w_k =_{\mathrm{df}} (a_i)_{0 \le i < k} \in \mathcal{A}^*$. Note that in the case where $w \in \mathcal{A}^*$, the $w$-convergence of $q$ implies $w \notin \mathcal{L}_B(q)$. As a consequence, Condition (a) implies Condition (b) under the assumptions of Theorem 3.7. A (counter-)example demonstrating the necessity of the image-finiteness assumption is depicted in Figure A.1.
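The implication just stated can be checked by a König's lemma argument; the following sketch is added here and is not part of the original proof. It assumes that a labeled transition system regarded as a Büchi automaton has every state accepting (so that $w \in \mathcal{L}_B(p)$ holds iff $p$ has an infinite weak run with trace $w$), and that $p \Downarrow w$ entails $p \Downarrow w_k$ for every finite prefix $w_k$ of $w$.

Suppose $w \in \mathcal{L}_B(q)$ and $w_k \in \mathcal{L}_{\mathrm{fin}}(q)$ implies $w_k \in \mathcal{L}_{\mathrm{fin}}(p)$ for all $k \in \mathbb{N}$. Every prefix of a Büchi trace of $q$ is a finite trace of $q$, hence
$$w_k \in \mathcal{L}_{\mathrm{fin}}(p) \quad \text{for all } k \in \mathbb{N}.$$
Let $T$ be the tree, ordered by prefix, whose nodes at depth $k$ are the sequences $(p_0, \ldots, p_k)$ with $p_0 = p$ and $p_i \stackrel{a_i}{\Longrightarrow} p_{i+1}$ for $0 \le i < k$.

(1) Every level of $T$ is non-empty, since $w_k \in \mathcal{L}_{\mathrm{fin}}(p)$.

(2) $T$ is finitely branching: the children of $(p_0, \ldots, p_k)$ are the weak $a_k$-derivatives of $p_k$. All states visited on the way are reached via $w_k$ or $w_{k+1}$, so by $p \Downarrow w$ none of them admits an infinite $\tau$-path; with image-finiteness, König's lemma applied to the finitely branching, well-founded $\tau$-trees shows that $\{\, p' \mid p_k \stackrel{a_k}{\Longrightarrow} p' \,\}$ is finite.

By König's lemma, the infinite, finitely branching tree $T$ has an infinite branch
$$p = p_0 \stackrel{a_0}{\Longrightarrow} p_1 \stackrel{a_1}{\Longrightarrow} p_2 \stackrel{a_2}{\Longrightarrow} \cdots,$$
an infinite run of $p$ with trace $w$, which is accepting under the assumption above; thus $w \in \mathcal{L}_B(p)$. Without image-finiteness step (2) fails, which is what Figure A.1 illustrates.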

Thus, the Büchi may- and must-preorders coincide with DeNicola and Hennessy’s may- and must-preorders in the considered setting, as desired.
A.3. Proof of Theorem 4.1. For the proof of the “$\Longrightarrow$”-direction, assume that $p \sqsubseteq^{\mathrm{B}}_{\mathrm{must}} q$ and let $w \in \mathcal{A}^* \cup \mathcal{A}^\infty$. Then

• $w \in \mathcal{L}_{\mathrm{div}}(q)$, i.e., $q \Uparrow w$. By Lemma 3.6(4) we have $\neg(q\ \mathrm{must}_{CL}\ t)$ for the test $t$ provided there. Since $p \sqsubseteq^{\mathrm{B}}_{\mathrm{must}} q$, also $\neg(p\ \mathrm{must}_{CL}\ t)$ holds, i.e., $p \Uparrow w$ by applying Lemma 3.6(4) again. Thus, $w \in \mathcal{L}_{\mathrm{div}}(p)$.

• $w \in \mathcal{L}_{\mathrm{fin}}(q) \setminus \mathcal{L}_{\mathrm{div}}(p)$ implies $w \in \mathcal{L}_{\mathrm{fin}}(q)$, $p \Downarrow w$, and also $q \Downarrow w$ by Inclusion 4.1(i). By Lemma 3.6(5) we conclude $\neg(q\ \mathrm{must}_{CL}\ t)$ for the test $t$ provided there. Because of the premise $p \sqsubseteq^{\mathrm{B}}_{\mathrm{must}} q$, also $\neg(p\ \mathrm{must}_{CL}\ t)$ holds, i.e., $w \in \mathcal{L}_{\mathrm{fin}}(p)$ by Lemma 3.6(5).

• The cases $w \in \mathcal{L}_{\max}(q) \setminus \mathcal{L}_{\mathrm{div}}(p)$ and $w \in \mathcal{L}_B(q) \setminus \mathcal{L}_{\mathrm{div}}(p)$ are similar to the previous one but refer to Lemma 3.6(6) and Lemma 3.6(7), respectively. As desired, we may obtain $w \in \mathcal{L}_{\max}(p)$ and $w \in \mathcal{L}_B(p)$, respectively.

Note that this proof direction does not require $p$ to be purely nondeterministic.

For establishing the “$\Longleftarrow$”-direction, assume that the language inclusions of Equation 4.1 hold. Moreover, assume the existence of a Büchi test $t$ such that $\neg(q\ \mathrm{must}_{CL}\ t)$. Thus, there exists an unsuccessful computation $c = (((q_{i-1}, t_{i-1}), a_i, (q_i, t_i)))_{0 < i \le k} \in \mathcal{C}(q, t)$ with $w =_{\mathrm{df}} \mathrm{trace}(\mathrm{proj}_q(c)) = \mathrm{trace}(\mathrm{proj}_t(c))$. If $p \Uparrow w$, then we can construct an unsuccessful, infinite computation $c'$ which resembles $c$ until $p$ can engage in its divergent Büchi computation, at which point $t$ can be forced to stop contributing to $c'$. As desired, computation $c'$ is unsuccessful since $\mathrm{proj}_p(c') \in \Pi_B(p)$, but $|\mathrm{proj}_t(c')| < \infty$, i.e., $\mathrm{proj}_t(c') \notin \Pi_B(t)$.

For the remainder of this proof, let us assume $p \Downarrow w$, i.e., $w \notin \mathcal{L}_{\mathrm{div}}(p)$. According to the definition of (un)successful computations, we distinguish the following two cases.

1. $|c| < \infty$: Here, we have $t_k \notin \mathrm{Succ}$.

(a) $w \in \mathcal{L}_{\max}(q)$: By Premise 4.1(iii) we have $w \in \mathcal{L}_{\max}(p)$. Then we can construct a finite computation $c' = (((p_{i-1}, t'_{i-1}), a_i, (p_i, t'_i)))_{0 < i \le l} \in \mathcal{C}(p, t)$ with $\mathrm{proj}_t(c') = \mathrm{proj}_t(c)$ and $t'_l = t_k$. Thus, $c'$ is unsuccessful, since $|c'| < \infty$ and $t'_l \notin \mathrm{Succ}$.

(b) $w \in \mathcal{L}_{\mathrm{fin}}(q) \setminus \mathcal{L}_{\max}(q)$: In this case, we know of the existence of some $a \in \mathcal{A}$ such that $q_k \stackrel{a}{\longrightarrow}$ and, because of the maximality of computations, $t_k \not\stackrel{a}{\longrightarrow}$. Thus, $w \cdot a \in \mathcal{L}_{\mathrm{fin}}(q)$ holds, and by Premise 4.1(ii) we have $w \cdot a \in \mathcal{L}_{\mathrm{fin}}(p)$. Since $p$ is purely nondeterministic, we may construct a finite computation $c' = (((p_{i-1}, t'_{i-1}), a_i, (p_i, t'_i)))_{0 < i \le l} \in \mathcal{C}(p, t)$, where $\mathrm{proj}_t(c') = \mathrm{proj}_t(c)$, $t'_l = t_k$ and $p_l \stackrel{a}{\longrightarrow}$. Indeed, $c'$ is maximal since $t'_l \not\stackrel{a}{\longrightarrow}$ and $p_l \not\stackrel{b}{\longrightarrow}$ for all $b \neq a$. Moreover, $c'$ is unsuccessful, because $|c'| < \infty$ and $t'_l \notin \mathrm{Succ}$.

2. $|c| = \infty$: Here, $\mathrm{proj}_t(c) \notin \Pi_B(t)$. By Premise 4.1(iv) and since $\mathrm{proj}_q(c) \in \Pi_B(q)$ due to the definition of computation, we have $w \in \mathcal{L}_B(p)$. Hence, we can construct an infinite computation $c' \in \mathcal{C}(p, t)$ such that $\mathrm{proj}_t(c') = \mathrm{proj}_t(c)$. As a consequence, also $c'$ is unsuccessful.

Thus, $\neg(p\ \mathrm{must}_{CL}\ t)$ and, further, $p \sqsubseteq^{\mathrm{B}}_{\mathrm{must}} q$, as desired.

A.4. Proof of Theorem 4.9. For establishing the “$\Longrightarrow$” direction, let $p \models \phi$, i.e., $w \models \phi$ for all $w \in \mathcal{L}_{\max}(p) \cup \mathcal{L}_B(p) \cup \mathcal{L}_{\mathrm{div}}(p)$. By Proposition 4.7 we also have $w \in \mathcal{L}_{\max}(B_\phi) \cup \mathcal{L}_B(B_\phi) \cup \mathcal{L}_{\mathrm{div}}(B_\phi)$. We may distinguish the following cases.

1. Case $w \in \mathcal{L}_{\mathrm{div}}(p)$: This case is taken care of by Lemma 4.8.

2. Case $w \in \mathcal{L}_{\mathrm{fin}}(p) \setminus \mathcal{L}_{\mathrm{div}}(B_\phi)$: Since $p$ is a labeled transition system, $w \in \mathcal{L}_{\mathrm{fin}}(p)$ is always a finite prefix of a maximal trace or an infinite (Büchi) trace. Hence, we may conclude the existence of some $w' \in \mathcal{A}^* \cup \mathcal{A}^\infty$ such that $w \cdot w' \in \mathcal{L}_{\max}(p) \cup \mathcal{L}_B(p) \cup \mathcal{L}_{\mathrm{div}}(p)$. From the other three inclusions, together with the fact that, by construction, every divergent state $s$ in $B_\phi$ satisfies $\mathcal{L}_{\max}(s) = \mathcal{A}^*$, we obtain $w \in \mathcal{L}_{\mathrm{fin}}(B_\phi)$, as desired.

3. Case $w \in \mathcal{L}_{\max}(p) \setminus \mathcal{L}_{\mathrm{div}}(B_\phi)$: Hence, $w \in \mathcal{A}^*$ and, together with Proposition 4.7, $w \in \mathcal{L}_{\max}(B_\phi)$.

4. Case $w \in \mathcal{L}_B(p) \setminus \mathcal{L}_{\mathrm{div}}(B_\phi)$: Then, $w \in \mathcal{A}^\infty$, and as a consequence of Proposition 4.7, $w \in \mathcal{L}_B(B_\phi)$.

Thus the language inclusions stated in equations (i) through (iv) are valid.

For proving the “$\Longleftarrow$” direction, assume that $p \not\models \phi$, i.e., $\exists w \in \mathcal{L}_{\max}(p) \cup \mathcal{L}_B(p) \cup \mathcal{L}_{\mathrm{div}}(p).\ w \not\models \phi$. By Proposition 4.7 we also know $w \notin \mathcal{L}_{\max}(B_\phi)$, $w \notin \mathcal{L}_B(B_\phi)$, and $w \notin \mathcal{L}_{\mathrm{div}}(B_\phi)$. We distinguish the following cases.

1. Case $w \in \mathcal{L}_{\max}(p)$: Then, $w \in \mathcal{L}_{\max}(p) \setminus \mathcal{L}_{\mathrm{div}}(B_\phi)$. However, $w \notin \mathcal{L}_{\max}(B_\phi)$, which contradicts Inclusion (iii).

2. Case $w \in \mathcal{L}_B(p)$: Hence, $w \in \mathcal{L}_B(p) \setminus \mathcal{L}_{\mathrm{div}}(B_\phi)$. However, $w \notin \mathcal{L}_B(B_\phi)$, which is a contradiction to Inclusion (iv).

3. Case $w \in \mathcal{L}_{\mathrm{div}}(p)$: But $w \notin \mathcal{L}_{\mathrm{div}}(B_\phi)$, which contradicts Inclusion (i).

Thus, direction “$\Longleftarrow$” holds, as desired.